MTP/PTP device controls is too broad
Suggestion: Split MTP/PTP out into multiple categories (webcams/printers/scanners/mobile devices), or keep it as is, but create an "advanced configuration" section where each type of device is listed with its own Allow/Block option.
If I allow MTP/PTP, I allow access to the storage on mobile devices. This is obviously a security concern for companies with DLP requirements.
If I block MTP/PTP, I block mobile phone storage, but also printers, scanners, cameras and possibly more I'm unaware of. So now I have to manually add these devices to the exemption policy on a per-device basis, creating a LOT of additional work as the admin.
I was told by support that adding a peripheral by "Model" would allow all devices with the same model name, but this was not the case.
If I added "Integrated Webcam" enforce by "Model", this does not allow all integrated webcams to work; I have to, on a case-by-case basis, allow the integrated cam for each user.
There are other things to consider for this suggestion as well, such as allowing printing/scanning, but blocking access to the SD card reader on a printer.
No plans to implement at this time
So what that says to me is the product team thinks there is no room for improvement in device controls. We've been Sophos Central customers for a year and I've not seen a single improvement to device controls in that time. This feature request could make Endpoint Protection a stronger product and a lot easier to manage.